02-22-2010 02:43 PM - edited 03-04-2019 07:35 AM
Hi,
We have a new policy to block IPv6 routing header extension type 0, 1 and 3-255. This is what I have come up with:
ipv6 access-list inbound
deny ipv6 any any routing-type 0 log
deny ipv6 any any routing-type 1 log
However, I don't want to type every single ACL entry from 3 to 255. From the CLI, I don't see a way to do 3 - 255. Does anyone know?
So it would look like this:
ipv6 access-list inbound
deny ipv6 any any routing-type 0 log
deny ipv6 any any routing-type 1 log
deny ipv6 any any routing-type 3-255 log
Thanks.
02-22-2010 03:18 PM
You only want to permit routing-type 2? You can do the following:
ipv6 access-list inbound
permit ipv6 any any routing-type 2 log
The ipv6 ACL will have an implicit deny ipv6 any any at the end.
Regards,
jerry
02-23-2010 09:57 AM
Thanks, Jerry. But I would still like to know of some kind of "range" command within an IPv6 ACL. Does anyone else know?
02-23-2010 10:07 AM
Hello Kevin,
The current command reference does not provide a range option for routing-type; a specific value is expected.
See
http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_10.html#wp2268514
Also because only the first values have been defined for real use:
integer in the range from 0 to 255 representing an IPv6 routing header type. Possible routing header types and their corresponding routing-number value are as follows:
• 0—Standard IPv6 routing header
• 2—Mobile IPv6 routing header
By the way, Jerry's solution should work well and shows how to deal with this limitation.
If you want to add a third line to use the log option, you could use an explicit deny without any routing-type option.
Permitted routing type values are matched by previous lines.
Edit:
In a previous line you can permit routing-type 2 (I see it is the only one you are interested in permitting).
A second line can deny all the rest with the log option.
Hope to help
Giuseppe
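The two ACL variants suggested in the replies above, run through a simplified first-match model to show which routing header types each one denies and which denials are logged. This is an added example, not part of the original thread or Cisco's code; the parser, the function names and the model itself (it looks only at the routing header type and leaves out the implicit neighbor-discovery permits) are assumptions.

```python
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    routing_type: Optional[int]  # None: entry has no routing-type option
    log: bool

def parse_acl(text):
    """Parse 'permit|deny ipv6 any any [routing-type N] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] not in ("permit", "deny") or tok[1:4] != ["ipv6", "any", "any"]:
            raise ValueError(f"unsupported entry: {line!r}")
        rtype = None
        if "routing-type" in tok:
            rtype = int(tok[tok.index("routing-type") + 1])
            if not 0 <= rtype <= 255:
                raise ValueError(f"routing-type out of range: {line!r}")
        entries.append(Entry(tok[0], rtype, "log" in tok))
    return entries

def evaluate(acl, routing_type):
    """First match wins. routing_type is the packet's routing header type,
    or None for a packet that carries no routing header."""
    for e in acl:
        if e.routing_type is None or e.routing_type == routing_type:
            return e.action, e.log
    return "deny", False  # implicit 'deny ipv6 any any', which is not logged

def denied_types(acl):
    """Routing header types (0-255) that the ACL drops."""
    return [t for t in range(256) if evaluate(acl, t)[0] == "deny"]

# ACL from the first reply: one permit, then the implicit deny
PERMIT_ONLY = parse_acl("permit ipv6 any any routing-type 2 log")

# Variant from the last reply: explicit logged deny as the final line
PERMIT_THEN_DENY_LOG = parse_acl("""
permit ipv6 any any routing-type 2 log
deny ipv6 any any log
""")

if __name__ == "__main__":
    for name, acl in (("permit only", PERMIT_ONLY),
                      ("permit + deny log", PERMIT_THEN_DENY_LOG)):
        d = denied_types(acl)
        print(f"{name}: {len(d)} types denied; type 0 -> {evaluate(acl, 0)}; "
              f"no routing header -> {evaluate(acl, None)}")
```

In this model both variants deny types 0, 1 and 3-255, and both also deny packets that carry no routing header at all, because the final deny (implicit or explicit) matches them; only the explicit `deny ipv6 any any log` line records the drops.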